Enabling GCP Services in Guardrails

This section details the steps required to enable services for a GCP Project. Alternatively, you can use the gcp_services baseline which automates this process.

All supported services have an Enabled policy.

  • GCP > Storage > Enabled
  • GCP > Compute Engine > Enabled
  • GCP > BigQuery > Enabled

You should enable any services that users are allowed to use. By default, the value of these policies is set to Disabled. When a service is disabled, users granted permissions to cloud accounts via Guardrails will not be able to manage the service. Additionally, other policies may reference this policy to determine their behavior. For example, the default behavior of the Approved control is that any resources are unapproved unless the service is enabled.

```hcl
# GCP > Storage > Enabled
resource "turbot_policy_setting" "gcp_storage_enabled" {
  resource = "id of account or parent folder/smart folder"
  type     = "tmod:@turbot/gcp-storage#/policy/types/storageEnabled"
  value    = "Enabled"
}
```

GCP allows APIs to be explicitly enabled and disabled, and Guardrails provides a policy to set this as well. You should set this policy for any service that you intend to use. By default, the value is "Skip", so Guardrails will not modify the setting. For example:

  • GCP > Storage > API Enabled
  • GCP > Compute Engine > API Enabled
  • GCP > BigQuery > API Enabled

Generally, you should set the API Enabled policy to align with the Enabled policy. For example, the GCP > Compute Engine > API Enabled policy should be set to "Enforce: Enabled if Compute Engine > Enabled".

```hcl
# GCP > Storage > API Enabled
resource "turbot_policy_setting" "gcp_storage_api_enabled" {
  resource = "id of account or parent folder/smart folder"
  type     = "tmod:@turbot/gcp-storage#/policy/types/storageApiEnabled"
  value    = "Enforce: Enabled if Storage > Enabled"
}
```

Disabling an API may cause CMDB and Discovery errors from controls for the service. Admins can suppress the discovery errors by setting the relevant CMDB policies to Skip.

For example, if the Storage API is not enabled in GCP, the GCP > Storage > Bucket > Discovery controls will be in error, as they do not have the required access to discover the bucket resources. Setting the CMDB policy to Skip will cause the Discovery control to skip as well.